LDAP bind error in IDP

Muthuraman Sethuraman Sethuraman (US - Advisory) muthuraman.sethuraman at pwc.com
Mon May 30 08:21:19 EDT 2016


Hi Experts,

I am continuously getting this exception while logging in.
I am able to connect to LDAP offline, but not through the IdP.
Please help me identify the issue.

2016-05-30 15:38:30,662 - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:175] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by muthu produced exception
org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772]; remaining name 'DC=idp,DC=yourdomain,DC=com'
        at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)


*My ldap.properties file is as follows:*

# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator                   = anonSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL=ldap://idp.yourdomain.com:389
idp.authn.LDAP.useStartTLS=false
idp.authn.LDAP.useSSL=false
idp.authn.LDAP.connectTimeout=3000

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
## NOTE: there is a separate property used for attribute resolution
idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN=DC=idp,DC=yourdomain,DC=com
idp.authn.LDAP.subtreeSearch=true
idp.authn.LDAP.userFilter=(cn={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN=Administrator@idp.yourdomain.com
idp.authn.LDAP.bindDNCredential=password

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat=CN=%s@idp.yourdomain.com,CN=shib-users,DC=idp,DC=yourdomain,DC=com

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)
idp.attribute.resolver.LDAP.returnAttributes    = cn,homephone,mail

Thanks,
Muthu

______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. PricewaterhouseCoopers LLP is a Delaware limited liability partnership.  This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.
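As an added example, not part of the original post and not Shibboleth project code: a small Python linter for an IdP v3 ldap.properties file of the kind posted above. It parses the properties, expands the `%{key:default}` placeholders the file uses, and reports the settings a reviewer checks first when AD answers a login with LDAP error code 1 / 000004DC (a search issued before any bind has completed), plus simple binds that run without StartTLS or SSL. Assumptions, also marked in the code: the default authenticator is the one shown in the file's commented-out line (anonSearchAuthenticator), the property names are those of the posted file, and both sample configurations are constructed placeholders, not real hosts or credentials.

```python
"""Added example (not Shibboleth project code, not from the original post):
lint a Shibboleth IdP v3 ldap.properties for the settings behind an AD
'successful bind must be completed' error and for binds sent in cleartext."""
import re

# %{key} or %{key:default}: the placeholder syntax used in ldap.properties.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# Both inputs are constructed (placeholder host, no real secret). The first
# mirrors the posted file; the second is a hardened counterpart: bound search,
# StartTLS with a pinned server cert, a low-privilege service account instead
# of Administrator, and one lookup attribute for both authn and the resolver.
POSTED_STYLE = """\
#idp.authn.LDAP.authenticator = anonSearchAuthenticator
idp.authn.LDAP.ldapURL=ldap://idp.yourdomain.com:389
idp.authn.LDAP.useStartTLS=false
idp.authn.LDAP.useSSL=false
idp.authn.LDAP.baseDN=DC=idp,DC=yourdomain,DC=com
idp.authn.LDAP.userFilter=(cn={user})
idp.authn.LDAP.bindDN=Administrator@idp.yourdomain.com
idp.authn.LDAP.bindDNCredential=password
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
"""
HARDENED = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL=ldap://idp.yourdomain.com:389
idp.authn.LDAP.useStartTLS=true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN=DC=idp,DC=yourdomain,DC=com
idp.authn.LDAP.userFilter=(sAMAccountName={user})
idp.authn.LDAP.bindDN=CN=idp-svc,OU=Service Accounts,DC=idp,DC=yourdomain,DC=com
idp.authn.LDAP.bindDNCredential=example-only
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.searchFilter = (sAMAccountName=$resolutionContext.principal)
"""

def parse_properties(text):
    """Java-style key=value lines; '#' or '!' starts a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def resolve(props, key, default=None, depth=0):
    """Value of key with %{...} placeholders expanded, or default if unset."""
    if depth > 8:
        raise ValueError("placeholder loop at " + key)
    if key not in props:
        return default
    def expand(m):
        inner = resolve(props, m.group(1), m.group(2), depth + 1)
        return "" if inner is None else inner
    return PLACEHOLDER.sub(expand, props[key])

def is_true(value):
    return (value or "").strip().lower() == "true"

def first_attr(ldap_filter):
    """Attribute name of a simple '(attr=...)' filter, else None."""
    m = re.match(r"\((\w+)=", ldap_filter or "")
    return m.group(1) if m else None

def lint_ldap_properties(text):
    """Return [(code, message), ...]; an empty list means no finding."""
    p = parse_properties(text)
    out = []
    # Assumption: the shipped file's commented-out line shows the default,
    # so an unset property means anonSearchAuthenticator.
    auth = resolve(p, "idp.authn.LDAP.authenticator", "anonSearchAuthenticator")
    if auth == "anonSearchAuthenticator" and resolve(p, "idp.authn.LDAP.bindDN"):
        out.append(("ANON_SEARCH", "the user search goes out on an unbound "
                    "connection and bindDN/bindDNCredential are never used; AD "
                    "answers error 1 / 000004DC. Use bindSearchAuthenticator, "
                    "or adAuthenticator with dnFormat=%s@domain."))
    url = resolve(p, "idp.authn.LDAP.ldapURL", "")
    if not (is_true(resolve(p, "idp.authn.LDAP.useStartTLS", "true"))
            or is_true(resolve(p, "idp.authn.LDAP.useSSL", "false"))
            or url.lower().startswith("ldaps://")):
        out.append(("CLEARTEXT_AUTHN", "no StartTLS or SSL on ldap://: the "
                    "service account and every user password cross the wire in "
                    "cleartext on the simple bind."))
    r_url = resolve(p, "idp.attribute.resolver.LDAP.ldapURL", url)
    if not (is_true(resolve(p, "idp.attribute.resolver.LDAP.useStartTLS", "true"))
            or r_url.lower().startswith("ldaps://")):
        out.append(("CLEARTEXT_RESOLVER", "the attribute resolver bind is "
                    "cleartext too (useStartTLS resolves to false, URL not ldaps://)."))
    a = first_attr(resolve(p, "idp.authn.LDAP.userFilter"))
    b = first_attr(resolve(p, "idp.attribute.resolver.LDAP.searchFilter"))
    if a and b and a != b:
        out.append(("FILTER_MISMATCH", "authn matches on %s but the resolver on "
                    "%s; confirm both are populated for every user." % (a, b)))
    return out
```

Run `lint_ldap_properties(POSTED_STYLE)` to see all four findings and `lint_ldap_properties(HARDENED)` to get an empty list. The FILTER_MISMATCH check is deliberately soft: it only asks you to confirm that the authn filter attribute and the resolver filter attribute are both populated, since the post gives no schema to decide which is right.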

